On Tue, 2021-11-02 at 09:52 +0100, Benoit Panizzon wrote:
> Hi SA Community

You can find out quite a lot about a spamming site with a few common commandline tools:

- 'ping' tells you if the hostname part of the URL is valid
- 'host hostname' should get the sender's IP
- 'host ip', IOW a reverse host lookup, tells you if the first sender address was an alias
- 'lynx hostname' lets you see if there's a website there, which is often useful (when prompted to accept cookies hit 'V' to never accept them). This is IMO safer than using Firefox etc. because lynx shows all pages as plaintext.

Generally, using those in the sequence I've listed them tells me enough to decide whether to treat the site as a spam source. In this case, either feed that URL to your favourite blacklist or write a local rule that fires if the URL you spotted is in the body text.

I've recently started to see regular Google gmail spam. This looks like boring sex spam, but that's probably a disguise since it contains attachments with suspicious (i.e. executable) file types. Fortunately, a more complex rule, built from a set of subrules, that I wrote years ago to trap mail with this sort of attachment is catching them now.

Martin
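The lookup sequence and the "local rule" follow-up, as an added example script that is not part of Martin's post. It assumes a Linux box with the ping, host, lynx and sed commands on the PATH; the hostname, rule name and score used in the test are constructed placeholders, and the rule is written as a SpamAssassin `body` rule because that is what the post suggests.

```sh
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumes: iputils ping, the 'host' resolver tool and lynx are installed.

# url_host: print the lower-cased hostname part of a URL, stripping the
# scheme, any user@ prefix, a :port suffix and anything from the path on.
url_host() {
    printf '%s\n' "$1" |
        sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' \
            -e 's#^[^/@]*@##' \
            -e 's#[/?].*$##' \
            -e 's#:[0-9]*$##' |
        tr 'A-Z' 'a-z'
}

# probe_site: the sequence from the post against one URL. Needs network.
#   1. ping the hostname (does it resolve / answer at all?)
#   2. forward lookup of the hostname
#   3. reverse lookup of every address it resolved to (alias or not?)
#   4. plaintext fetch with lynx -dump, so nothing is rendered or executed
probe_site() {
    h=$(url_host "$1")
    [ -n "$h" ] || { echo "no hostname in: $1" >&2; return 1; }
    echo "== ping $h"
    ping -c 1 "$h"
    echo "== host $h"
    host "$h"
    # pull the A/AAAA answers out of the forward lookup and reverse each one
    for ip in $(host "$h" | awk '/has address|has IPv6 address/ { print $NF }'); do
        echo "== host $ip"
        host "$ip"
    done
    echo "== lynx -dump http://$h/ (first 40 lines)"
    lynx -dump -nolist "http://$h/" | head -n 40
}

# sa_url_rule: emit a SpamAssassin local rule that fires when the spotted
# hostname appears in the message body. Dots are escaped so the regex
# matches the literal hostname. Args: URL, rule name, optional score.
sa_url_rule() {
    h=$(url_host "$1")
    name=$2
    score=${3:-3.0}
    re=$(printf '%s' "$h" | sed 's/[.]/\\./g')
    printf 'body %s /%s/i\n' "$name" "$re"
    printf 'describe %s Body mentions known spam site %s\n' "$name" "$h"
    printf 'score %s %s\n' "$name" "$score"
}

# Usage: sh probe.sh 'http://some.spam.site/landing'
# then: sa_url_rule 'http://some.spam.site/landing' LOCAL_SPAMSITE >> local.cf
if [ $# -gt 0 ]; then
    probe_site "$1"
fi
```

The generated rule only needs the hostname, so the same rule also catches the site when it is pasted with a different path or scheme. If you would rather key on URLs SpamAssassin has already extracted rather than on raw body text, the same regex works in a `uri` rule; check `spamassassin --lint` after appending either form to local.cf.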